Security Issues for Bioinformatics

Prof. Steven A. Demurjian, Sr.
Director, CSE Graduate Program
Computer Science & Engineering Department
The University of Connecticut
191 Auditorium Road, Box U-155
Storrs, CT 06269-3155
steve@engr.uconn.edu
http://www.engr.uconn.edu/~steve
http://www.engr.uconn.edu/~steve/DSEC/dsec.html
(860) 486 - 4818
UConnBI-BC-1
Medical Informatics
- Security Requirements for Medical Records
- Privacy vs. Availability
- All Aspects of Security for Medical Information
  - Treatment and Long-Term Care
  - Insurance Claims and Future Insurability
  - Nationalization of Medical Information
- Critical Aspect of Dynamic Coalition Problem (DCP)
  - DCP - Security, Resource, and Information Sharing Risks for Alliance of Governmental, Military, Civilian, and International Organizations
  - Bring Together Divergent Requirements to Support Life-Threatening Situation
  - Rapid Availability of Patient Data in Emergency Situations
UConnBI-BC-2
Dynamic Coalitions for Medical Informatics
Smallpox Outbreak in U.S.
[Figure: coalition participants. Labels: Transportation, Red Cross, Govt., Pharma. Companies, MDs w/o Borders, Military Medics, Govt., Local Health Care, CDC, EMTs, RNs, MDs, Other, State Health]
GOALS:
- Securely Leverage Information in a Fluid Environment
- Protect Information While Simultaneously Promoting the Coalition
UConnBI-BC-3
Public Policy on Security
- How do we Protect a Person’s DNA?
  - Who Owns a Person’s DNA?
  - Who Can Profit from Person’s DNA?
  - Can Person’s DNA be Used to Deny Insurance? Employment? Etc.
  - How do you Define Security Limitations/Access?
- Can DNA Repositories be Anonymously Available for Medical Research?
  - Do Societal Needs Trump Individual Rights?
  - Can DNA be Made Available Anonymously for Medical Research?
  - International Repository Might Allow Medical Researchers Access to Large Enough Data Set for Rare Conditions (e.g., Orphan Drug Act)
- Individual Rights vs. Medical Advances
UConnBI-BC-4
Security Solutions for Systems/Databases
[Figure: organizations shown. Labels: Pfizer, Bayer, UConn Health Center, UConn Storrs, Johns Hopkins, Yale, NIH, FDA, NSF]
- Info. Sharing - Joint R&D
- Company and University Partnerships
- Collaborative Funding Opportunities
- Retrofit Security Infrastructure
- Cohesive and Trusted Environment
- Existing Systems/Databases and New Applications
- How do you Protect Commercial Interests? Promote Research Advancement?
- Free Read for Some Data/Limited for Other?
- Commercialization vs. Intellectual Property?
Balancing Cooperation with Propriety
UConnBI-BC-5
What are Key Security Concepts?
- Assurance
  - Are the Security Privileges for Each User Adequate (and Limited) to Support their Needs?
  - What Guarantees are Given by the Security Infrastructure regarding Privileges vs. Information?
- Consistency
  - Are the Defined Security Privileges for Each User Internally Consistent?
  - Least-Privilege Principle: Just Enough Access
  - Are the Defined Security Privileges for Related Users Globally Consistent?
  - Mutual-Exclusion: Read for Some-Write for Others
- Role-Based Access Control - User Focused
- Mandatory Access Control - Data Focused
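
The assurance and consistency questions above can be checked mechanically against a role-based policy. The following is an added example, not part of the original slides; every role, user and resource name in it is constructed for illustration.

```python
# Added example: static consistency checks over an RBAC policy.
# All role, user and resource names are constructed for illustration.

ROLES = {  # role -> privileges as (action, resource) pairs
    "physician": {("read", "patient_record"), ("write", "patient_record")},
    "claims": {("read", "billing"), ("read", "patient_record")},
    "researcher": {("read", "dna_repository")},
    "curator": {("write", "dna_repository")},
}
USERS = {  # user -> assigned roles
    "alice": {"physician"},
    "bob": {"researcher", "curator"},
    "carol": {"claims"},
}
NEEDS = {  # user -> privileges the user's duties actually require
    "alice": {("read", "patient_record"), ("write", "patient_record")},
    "bob": {("read", "dna_repository")},
    "carol": {("read", "billing")},
}
# Mutual exclusion: no single user may hold both privileges of a pair.
MUTEX = [(("read", "dna_repository"), ("write", "dna_repository"))]


def privileges(user):
    """Effective privileges: union over every role assigned to the user."""
    granted = set()
    for role in USERS.get(user, ()):
        granted |= ROLES[role]
    return granted


def least_privilege(user):
    """Return (missing, excess): needs not granted, grants not needed."""
    granted, needed = privileges(user), NEEDS.get(user, set())
    return needed - granted, granted - needed


def mutex_violations():
    """Users whose combined roles hold both sides of an exclusive pair."""
    return sorted(
        (user, pair) for user in USERS for pair in MUTEX
        if set(pair) <= privileges(user)
    )


if __name__ == "__main__":
    for user in sorted(USERS):
        missing, excess = least_privilege(user)
        print(user, "missing:", sorted(missing), "excess:", sorted(excess))
    print("mutual-exclusion violations:", mutex_violations())
```

An empty "missing" set means the privileges are adequate, an empty "excess" set means they are limited, and a user listed as a violation holds both read and write where the policy reserves them for different people.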
UConnBI-BC-6
What are Key Security Concepts?
- Authentication
  - Is the User who S/he Says they are?
- Authorization
  - Does the User have Permission to do what S/he Wants?
- Privacy
  - Is Anyone Intercepting User/Server or User/User Communications?
- Enforcement Mechanism
  - Centralized and Distributed “Code”
  - Enforces Security Policy at Runtime
  - For Existing (Retrofit) and New Systems/Clients
- Ongoing Research Project in Security
  http://www.engr.uconn.edu/~steve/DSEC/dsec.html
UConnBI-BC-7